What began as a two-hour morning outage spanned well into the afternoon as Twitter, Reddit, Spotify, Github, and many other popular websites and services became effectively inaccessible for many American web users, especially those on the East Coast.

The websites were not targeted individually. Instead, an unknown attacker deployed a massive botnet to wage a distributed denial-of-service attack on Dyn (pronounced like dine), the domain name service (DNS) provider that they all share.

A distributed denial of service attack, or DDoS, is not an uncommon attack on the web, and web hosts have been fending them off for years. But according to reports, Friday’s attack was distinguished by its distinctive approach. The perpetrator used a botnet composed of so-called “internet-of-things” devices—namely, webcams and DVRs—to spam Dyn with more requests than it could handle.

“It could be orange elephants who became literate, for all we know.”

Security researchers have been warning about these internet-of-things botnets since at least the summer. In September, a botnet composed of DVRs and CCTVs took down the blog of Brian Krebs, a prominent cybersecurity journalist. And on October 1, an anonymous developer posted source code online that allowed anyone to string a similar kind of botnet together.

Krebs wrote that releasing that software, called Mirai, “virtually [guaranteed] that the Internet will soon be flooded with attacks from many new botnets powered by insecure routers, IP cameras, digital video recorders and other easily hackable devices.”

The first of those attacks to be successful on a broadly destructive scale transpired on Friday.

“This feels new,” Bruce Schneier, a long-time computer-security researcher, told me by phone on Friday. “There hasn’t been a successful attack like this before.” There have been many unsuccessful ones that may have been larger, he added.

Andy Ellis, the chief security officer at Akamai, agreed. Akamai is one of the largest distributed cloud services on the web, serving between 15 and 30 percent of all web traffic. Some of its DNS products compete with Dyn’s.

“You never know how big an attack is on someone else,” said Ellis. He said this was a “watch-and-see” moment: Until Dyn describes the attack further, the security community would not know if this was an attack of unprecedented size or if it was one that had happened to find a specific weakness.

Neither Schneier nor Ellis would speculate about who might have perpetrated the attack.

“It could be orange elephants who became literate, for all we know,” Schneier said. “It might be three guys in Topeka.”

On his website, Krebs pointed out that a Dyn security researcher gave a talk on Thursday about the perils of internet-of-things botnets and the history of one DDoS mitigation firm in particular. Sometimes a retribution-style attack can follow a presentation of this type.

The attack demonstrates the fearsome power of internet-of-things botnets. Last month, Schneier argued in Motherboardthat the government must regulate internet-of-things cybersecurity. “The market can’t fix this because neither the buyer nor the seller cares,” he wrote:

What this all means is that the [internet of things] will remain insecure unless government steps in and fixes the problem. When we have market failures, government is the only solution. The government could impose security regulations on [internet of things] manufacturers, forcing them to make their devices secure even though their customers don't care. They could impose liabilities on manufacturers, allowing people like Brian Krebs to sue them. Any of these would raise the cost of insecurity and give companies incentives to spend money making their devices secure.

Ellis struck a less apocalyptic tone when he described the situation on the phone to me.

“Historically, when you see new attack capabilities show up —in volume or type of attack—you see some outages, then you see people adapting, then people make the investments needed to scale up infrastructure,” he said.

This isn’t even the first immobilizing attack on a DNS server ever. On the morning of June 15, 2004, a DDoS assault on Akamai’s DNS servers effectively blocked access to the websites of Apple, Google, Microsoft, and Yahoo. That outage did not last as long as Friday’s assault, though.

DNS is also especially vulnerable to a sustained attack, because DNS providers don’t necessarily update their records in real time. On Friday, for instance, Github changed its DNS provider so that its visitors would be rerouted to a new server. But it will take until Saturday or Sunday for that change to propagate across the internet.

Ellis said that some companies might react to the attack on Dyn by using many different DNS name servers at once—so that if one came under attack, others would take its place—many will “weather it out and wait to see what Dyn will do,” Ellis said.

“The internet isn’t down,” he added. “Packets are still getting through.” Only one DNS provider was ever blocked, he said. The rest of the infrastructure still work—even if Twitter, Reddit, Spotify, and the Times were all, for a time, essentially inaccessible.

Ellis told me to look on the bright side: “Productivity is up, because all the things that people use to procrastinate at work are down.”

Most Popular

Five times a day for the past three months, an app called WeCroak has been telling me I’m going to die. It does not mince words. It surprises me at unpredictable intervals, always with the same blunt message: “Don’t forget, you’re going to die.”

Sending these notices is WeCroak’s sole function. They arrive “at random times and at any moment just like death,” according to the app’s website, and are accompanied by a quote meant to encourage “contemplation, conscious breathing or meditation.” Though the quotes are not intended to induce nausea and despair, this is sometimes their effect. I’m eating lunch with my husband one afternoon when WeCroak presents a line from the Zen poet Gary Snyder: “The other side of the ‘sacred’ is the sight of your beloved in the underworld, dripping with maggots.”

The president is the common thread between the recent Republican losses in Alabama, New Jersey, and Virginia.

Roy Moore was a uniquely flawed and vulnerable candidate. But what should worry Republicans most about his loss to Democrat Doug Jones in Tuesday’s U.S. Senate race in Alabama was how closely the result tracked with the GOP’s big defeats last month in New Jersey and Virginia—not to mention how it followed the pattern of public reaction to Donald Trump’s perpetually tumultuous presidency.

Jones beat Moore with a strong turnout and a crushing lead among African Americans, a decisive advantage among younger voters, and major gains among college-educated and suburban whites, especially women. That allowed Jones to overcome big margins for Moore among the key elements of Trump’s coalition: older, blue-collar, evangelical, and nonurban white voters.

Brushing aside attacks from Democrats, GOP negotiators agree on a late change in the tax bill that would reduce the top individual income rate even more than originally planned.

For weeks, Republicans have brushed aside the critique—brought by Democrats and backed up by congressional scorekeepers and independent analysts—that their tax plan is a bigger boon to the rich than a gift to the middle class.

On Wednesday, GOP lawmakers demonstrated their confidence as clearly as they could, by giving a deeper tax cut to the nation’s top earners.

A tentative agreement struck by House and Senate negotiators would reduce the highest marginal tax rate to 37 percent from 39.6 percent, in what appears to be the most significant change to the bills passed by each chamber in the last month. The proposal final tax bill would also reduce the corporate tax rate from 35 percent to 21 percent, rather than the 20 percent called for in the initial House and Senate proposals, according to a Republican aide privy to the private talks.

If Democratic candidate Doug Jones had lost to GOP candidate Roy Moore, weakened as he was by a sea of allegations of sexual assault and harassment, then some of the blame would have seemed likely to be placed on black turnout.

But Jones won, according to the Associated Press, and that script has been flipped on its head. Election Day defied the narrative and challenged traditional thinking about racial turnout in off-year and special elections. Precincts in the state’s Black Belt, the swathe of dark, fertile soil where the African American population is concentrated, long lines were reported throughout the day, and as the night waned and red counties dominated by rural white voters continued to report disappointing results for Moore, votes surged in from urban areas and the Black Belt. By all accounts, black turnout exceeded expectations, perhaps even passing previous off-year results. Energy was not a problem.

Russia's strongman president has many Americans convinced of his manipulative genius. He's really just a gambler who won big.

I. The Hack

The large, sunny room at Volgograd State University smelled like its contents: 45 college students, all but one of them male, hunched over keyboards, whispering and quietly clacking away among empty cans of Juicy energy drink. “It looks like they’re just picking at their screens, but the battle is intense,” Victor Minin said as we sat watching them.

Clustered in seven teams from universities across Russia, they were almost halfway into an eight-hour hacking competition, trying to solve forensic problems that ranged from identifying a computer virus’s origins to finding secret messages embedded in images. Minin was there to oversee the competition, called Capture the Flag, which had been put on by his organization, the Association of Chief Information Security Officers, or ARSIB in Russian. ARSIB runs Capture the Flag competitions at schools all over Russia, as well as massive, multiday hackathons in which one team defends its server as another team attacks it. In April, hundreds of young hackers participated in one of them.

There’s a fiction at the heart of the debate over entitlements: The carefully cultivated impression that beneficiaries are simply receiving back their “own” money.

One day in 1984, Kurt Vonnegut called.

I was ditching my law school classes to work on the presidential campaign of Walter Mondale, the Democratic candidate against Ronald Reagan, when one of those formerly-ubiquitous pink telephone messages was delivered to me saying that Vonnegut had called, asking to speak to one of Mondale’s speechwriters.

All sorts of people called to talk to the speechwriters with all sorts of whacky suggestions; this certainly had to be the most interesting. I stared at the 212 phone number on the pink slip, picked up a phone, and dialed.

A voice, so gravelly and deep that it seemed to lie at the outer edge of the human auditory range, rasped, “Hello.” I introduced myself. There was a short pause, as if Vonnegut were fixing his gaze on me from the other end of the line, then he spoke.

In The Emotional Life of the Toddler, the child-psychology and psychotherapy expert Alicia F. Lieberman details the dramatic triumphs and tribulations of kids ages 1 to 3. Some of her anecdotes make the most commonplace of experiences feel like they should be backed by a cinematic instrumental track. Take Lieberman’s example of what a toddler feels while walking across the living room:

When Johnny can walk from one end of the living room to the other without falling even once, he feels invincible. When his older brother intercepts him and pushes him to the floor, he feels he has collapsed in shame and wants to bite his attacker (if only he could catch up with him!) When Johnny’s father rescues him, scolds the brother, and helps Johnny on his way, hope and triumph rise up again in Johnny’s heart; everything he wants seems within reach. When the exhaustion overwhelms him a few minutes later, he worries that he will never again be able to go that far and bursts into tears.

So many people watch porn online that the industry’s carbon footprint might be worse now that it was in the days of DVDs and magazines.

Online streaming is a win for the environment. Streaming music eliminates all that physical material—CDs, jewel cases, cellophane, shipping boxes, fuel—and can reduce carbon-dioxide emissions by 40 percent or more. Video streaming is still being studied, but the carbon footprint should similarly be much lower than that of DVDs.

Scientists who analyze the environmental impact of the internet tout the benefits of this “dematerialization,” observing that energy use and carbon-dioxide emissions will drop as media increasingly can be delivered over the internet. But this theory might have a major exception: porn.

Since the turn of the century, the pornography industry has experienced two intense hikes in popularity. In the early 2000s, broadband enabled higher download speeds. Then, in 2008, the advent of so-called tube sites allowed users to watch clips for free, like people watch videos on YouTube. Adam Grayson, the chief financial officer of the adult company Evil Angel, calls the latter hike “the great mushroom-cloud porn explosion of 2008.”

Will the vice president—and the religious right—be rewarded for their embrace of Donald Trump?

No man can serve two masters, the Bible teaches, but Mike Pence is giving it his all. It’s a sweltering September afternoon in Anderson, Indiana, and the vice president has returned to his home state to deliver the Good News of the Republicans’ recently unveiled tax plan. The visit is a big deal for Anderson, a fading manufacturing hub about 20 miles outside Muncie that hasn’t hosted a sitting president or vice president in 65 years—a fact noted by several warm-up speakers. To mark this historic civic occasion, the cavernous factory where the event is being held has been transformed. Idle machinery has been shoved to the perimeter to make room for risers and cameras and a gargantuan American flag, which—along with bleachers full of constituents carefully selected for their ethnic diversity and ability to stay awake during speeches about tax policy—will serve as the TV-ready backdrop for Pence’s remarks.

In analyzing Doug Jones’s surprise win, the pundit-in-chief misconstrues the race and elides his own role in Moore’s defeat.

Doug Jones’s victory in the U.S. Senate race in Alabama on Tuesday poses a quandary to Republicans at all levels—but to none more than President Trump. The results of the race demonstrate the limitations of both his political power and of his self-appointed role as pundit-in-chief. He is more interested in being right than in winning—but on Tuesday, he did neither.

The president offered a series of somewhat contradictory responses to the race between Tuesday night and Wednesday morning. Late Tuesday, he tweeted:

Congratulations to Doug Jones on a hard fought victory. The write-in votes played a very big factor, but a win is a win. The people of Alabama are great, and the Republicans will have another shot at this seat in a very short period of time. It never ends!